You are here

I've experienced problems with CAPTCHA 7.x-1.0-beta1 in forms with AJAX: CAPTCHA could never be solved (see http://drupal.org/node/1024370, #9 helped me with that).

Now, in beta2, there is another problem. If a form has AJAX, and you change the element that triggers de AJAX, you get this message: "CAPTCHA session reuse attack detected.".

I've found that _captcha_get_posted_captcha_info() uses $form_state['submitted'] to detect a submitted form. An AJAX 'submitted' form does not have that flag, so I think $form_state['triggering_element'] should be used, instead. Patch is attached.

Not work for me...
After detect-ajax-form-7.x-1.x-2.patch "CAPTCHA session reuse attack detected" has gone, but "The answer you entered for the CAPTCHA was not correct" take place after patch...
And impossible to submit form.

As noted, the patches in #3 and #8 don't seem to be the right solution. The real trouble seems to be that a new captcha token is generated every time the form is rebuilt -- but if the form is being rebuilt as the result of an ajax submission, that new token may well not be sent back with the response, so the next time the form is submitted, the token validation check will fail.

The attached patch fixes this by reusing the existing token if a form is submitted via ajax. I'm not a security expert, though, so I'm not sure what the implications of this are. It seems to me the only alternative is for Captcha to attach a process callback to every form with a captcha, and recursively replace every #ajax callback with one which also sends the new captcha token. Not impossible, but is it worth it?

The patch (#11) did not work for me. In my case, I have a form where when the country dropdown is changed, the whole form is refreshed since there are other fields being modified on the form by ajax. I am using 7.x-1.0-beta2+10-dev version.

#11 works in my case, but it seems like the real problem is that captcha is doing validation in the form #process step. Perhaps the session reuse check could be moved from _captcha_get_posted_captcha_info() to captcha_validate()?

In the code it is not clear why so much information is passed through to the front-end form and then retrieved from the front-end form, when it is also stored persistently in the $form_state; if this part of the code isn't clear, I can't effectively patch the bug.